Author Topic: mystery virus  (Read 49770 times)

Offline grue155

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: mystery virus
« Reply #30 on: December 16, 2007, 09:17:53 PM »
Quote from: kesuki
here's the thing... I don't own a copy of Unreal Tournament, much less play it. That was the first Google link for the file.

That makes it a removal target. When c:\Documents goes out, the cmdlineext02 is going to go with it. These two may be working together to prevent either from being stopped. So a straightforward process-kill may not work. It's going to take trying it to find out.

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #31 on: December 16, 2007, 09:41:38 PM »
found a few services.
C:\docume~1\ryan\locals~1\temp\ehsxbupoyf.exe
C:\docume~1\ryan\locals~1\temp\gotc.exe
C:\docume~1\ryan\locals~1\temp\pbt.exe

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #32 on: December 16, 2007, 09:44:11 PM »
Quote from: grue155
Not knowing your hardware, I don't know if this would make sense. But would it be possible to move the cd-r burner to your working machine? Just for a while, to get a clean BartPE build.

Running a disk as a slave drive is a safe thing to do, so long as you are very, very careful not to run anything from the slave drive itself. In a FreeBSD environment, the equivalent would be a "mount -o noexec". To my knowledge, Windows has no such equivalent, so it would mean running very carefully. The cd-r would be safer, if you can get one.

Yes, and the first thing Windows does when a slave drive is attached is to autorun the drive, well at least with the USB drive thing; no clue what Windows does on startup when it detects a slave drive.

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #33 on: December 16, 2007, 09:56:06 PM »
Quote from: grue155
That makes it a removal target. When c:\Documents goes out, the cmdlineext02 is going to go with it. These two may be working together to prevent either from being stopped. So a straightforward process-kill may not work. It's going to take trying it to find out.

Well, here's the thing: Windows keeps saying that DLL and that directory don't exist when I try to delete them or go to that directory, but the rootkit scanner found them. As far as making a secure Bart's PE goes, I will just use VMware to download and burn the files needed on the Bart's PE and burn them from my _clean_ machine at home. Because of the way VMware works, even if the virus wanted to screw this up it couldn't, because VMware clearly shows if the CD-R is attached (for use with VMware) or 'detached' for use with the host OS. A CD-R can only be used by one application at a time, and since VMware totally locks the drive from any other process, not even the worst virus can infect the CD-R while VMware has the drive in its control. That was how I made a 'clean' driver disk on a system with a rootkit in the first place. But Bart's PE needs to run from Windows, so that I have to do at home. It's the only system I know is clean.

(VMware is a big download and so is a 'Linux' VMware appliance, but both downloads are 'free' for non-commercial use, the second being completely free (although a VMware appliance is just a bunch of files without the app to run it).) I was about to run the scanning programs on my dad's PC (the slow one); I'll post logs when they finish.

Offline grue155

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: mystery virus
« Reply #34 on: December 16, 2007, 10:23:06 PM »
So much for the slave drive thought. You're right, in that the cd-r is the way to go. And it sounds like you've got a workaround thru the VM to keep the malware at bay.

The rootkit stuff isn't letting you get to the c:\documents stuff, but it's there. Having found those services, and the two processes, we can probably disable the rootkit to get rid of it.

Download "OTMoveit by Oldtimer" from http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Give it these 5 pathnames:

C:\docume~1\ryan\locals~1\temp\ehsxbupoyf.exe
C:\docume~1\ryan\locals~1\temp\gotc.exe
C:\docume~1\ryan\locals~1\temp\pbt.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll
C:\Documents

Run the program, and it will undoubtedly ask you to reboot. That's when it will move those 5 files off to a backup directory. It will create a log and backup directory in c:\_OTMoveit.

After the reboot, do a Deckard's scan. There should be something more observable than what there has been, if the rootkit has been disabled.
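
The boot-time move grue155 describes is something Windows itself provides: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records source/destination pairs in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe carries them out at the next boot before any service or autorun entry has started. The following is an added example, not OTMoveIt's code; that OTMoveIt relies on this mechanism is an assumption, and the backup folder C:\_OTMoveit\MovedFiles is a made-up destination. The four temp-directory paths are the ones from the post. It builds the list, encodes and decodes the registry value so you can inspect what a cleanup tool has queued, and on Windows can register the same operations through the public API.

```python
"""Build, encode and decode the PendingFileRenameOperations list that Windows
uses for boot-time file moves and deletes (MoveFileEx + MOVEFILE_DELAY_UNTIL_REBOOT).
Added example, not OTMoveIt's source. The four paths below are from the post;
the backup folder is an assumption."""
import sys
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"              # the registry stores Win32 paths in NT namespace form
REG_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

Op = Tuple[str, Optional[str]]   # (source, destination); destination None = delete

POST_TARGETS = [
    r"C:\docume~1\ryan\locals~1\temp\ehsxbupoyf.exe",
    r"C:\docume~1\ryan\locals~1\temp\gotc.exe",
    r"C:\docume~1\ryan\locals~1\temp\pbt.exe",
    r"C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll",
]
BACKUP_DIR = r"C:\_OTMoveit\MovedFiles"   # hypothetical quarantine folder


def _nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def build_pending_renames(ops: List[Op]) -> List[str]:
    """Flatten operations into the string list the Session Manager reads:
    source, destination, source, destination...; an empty destination means
    delete.  Pass full paths: 8.3 short names such as DOCUME~1 are not expanded."""
    items: List[str] = []
    for src, dst in ops:
        items.append(_nt(src))
        items.append("" if dst is None else _nt(dst))
    return items


def encode_multi_sz(items: List[str]) -> bytes:
    """REG_MULTI_SZ layout: each string NUL-terminated, then one extra NUL."""
    body = "".join(s + "\0" for s in items)
    return (body + "\0").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings, which this value uses."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]          # drop the list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()               # terminator of the final string
    return parts


def parse_pending_renames(raw: bytes) -> List[Op]:
    """Turn a raw registry value back into (source, destination-or-None) pairs."""
    items = decode_multi_sz(raw)
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    return [(items[i], items[i + 1] or None) for i in range(0, len(items), 2)]


def example_ops() -> List[Op]:
    """Move each of the post's four temp files into the backup folder."""
    return [(p, BACKUP_DIR + "\\" + p.rsplit("\\", 1)[1]) for p in POST_TARGETS]


def schedule_on_windows(ops: List[Op]) -> None:
    """Register the operations through the public API (Windows only).
    MoveFileExW writes the very registry value this module encodes."""
    if sys.platform != "win32":
        raise RuntimeError("boot-time moves can only be scheduled on Windows")
    import ctypes
    kernel32 = ctypes.windll.kernel32
    for src, dst in ops:
        if not kernel32.MoveFileExW(src, dst, MOVEFILE_DELAY_UNTIL_REBOOT):
            raise ctypes.WinError()


if __name__ == "__main__":
    for entry in build_pending_renames(example_ops()):
        print(repr(entry))
```

Two caveats a practitioner will want. First, smss.exe runs these renames after boot-start drivers are already loaded, so a rootkit whose driver starts at boot can still defeat them; that is why the follow-up Deckard's scan, not the tool's own log, is the real check. Second, a directory queued for deletion this way is only removed at restart if it is empty, so an entry such as C:\Documents needs to be moved or emptied rather than simply deleted.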

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #35 on: December 16, 2007, 10:41:00 PM »
Good news: Opera still loads this page, although IE blocks it (with the default 'no page' error).
I had Opera installed on Dad's PC because I thought it was faster than IE with his low RAM.

here are the logs.
Deckard's System Scanner v20071014.68
Run by ryan on 2007-12-16 20:58:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
78: 2007-12-17 04:59:08 UTC - RP152 - Deckard's System Scanner Restore Point
77: 2007-12-15 07:32:50 UTC - RP151 - System Checkpoint
76: 2007-12-14 06:35:30 UTC - RP150 - System Checkpoint
75: 2007-12-13 05:32:35 UTC - RP149 - System Checkpoint
74: 2007-12-12 04:32:36 UTC - RP148 - System Checkpoint


-- First Restore Point --
1: 2007-09-17 14:32:04 UTC - RP75 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 85% (more than 75%).
Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:47 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Comodo\CBOClean\BOCORE.exe
F:\Program Files\Comodo\Firewall\cmdagent.exe
F:\Program Files\McAfee\MBK\MBackMonitor.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\SiteAdvisor\6172\SAService.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\Explorer.EXE
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
F:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
F:\PROGRA~1\Comodo\CBOClean\BOC425.exe
F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
F:\Program Files\Comodo\Firewall\CPF.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\WINDOWS\system32\taskmgr.exe
F:\Program Files\Opera\Opera.exe
F:\Documents and Settings\ryan\Application Data\Opera\Opera\nyet.exe
F:\Documents and Settings\ryan\Desktop\gmer\gmer.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - f:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FLMK08KB] F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BOC-425] F:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [McAfee Backup] F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] F:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E249E087-04D9-408A-8225-7E6BC91415DF}: NameServer = 66.115.71.53,24.196.64.53
O20 - AppInit_DLLs: 
O23 - Service: McAfee Application Installer Cleanup (0149351197866411) (0149351197866411mcinstcleanup) - Unknown owner - F:\WINDOWS\TEMP\014935~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - F:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - F:\WINDOWS\system32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - F:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - F:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 8377 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BOCore - f:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>

S2 0149351197866411mcinstcleanup (McAfee Application Installer Cleanup (0149351197866411)) - f:\windows\temp\014935~1.exe f:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-15 01:00:17       364 --a------ F:\WINDOWS\Tasks\McDefragTask.job
2007-12-01 01:00:12       366 --a------ F:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2007-11-16 and 2007-12-16 -----------------------------

2007-12-16 20:57:47         0 d-------- F:\Program Files\Trend Micro
2007-12-16 20:39:52         0 d-------- F:\WINDOWS\LastGood
2007-11-22 15:37:02       229 --a------ F:\WINDOWS\PowerReg.dat
2007-11-22 15:36:40         0 d-------- F:\Program Files\Hasbro Interactive


-- Find3M Report ---------------------------------------------------------------

2007-12-16 20:39:50         0 d-------- F:\Program Files\McAfee
2007-11-23 08:29:22         0 d-------- F:\Documents and Settings\ryan\Application Data\Comodo
2007-11-23 07:20:25         0 d-------- F:\Program Files\Comodo
2007-11-18 07:48:21         0 d-------- F:\Program Files\Common Files\McAfee
2007-11-05 22:55:26         0 d-------- F:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
09/19/2007 06:15 AM   329032   --a------   f:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/09/2004 01:54 AM F:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 03:41 PM]
"FLMK08KB"="F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE" [07/15/2007 06:09 PM]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 03:00 AM]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [10/22/2006 11:22 AM]
"nwiz"="nwiz.exe" [10/22/2006 11:22 AM F:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 11:22 AM]
"SiteAdvisor"="F:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [03/30/2007 07:42 AM]
"BOC-425"="F:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [08/08/2007 06:49 PM]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [05/14/2007 02:22 PM]
"McAfee Backup"="F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [01/16/2007 12:59 PM]
"MBkLogOnHook"="F:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 10:22 AM]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"mcagent_exe"="F:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"COMODO Firewall Pro"="F:\Program Files\Comodo\Firewall\CPF.exe" [11/23/2007 09:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HXDL.EXE"="F:\Program Files\Cosmi\HelpExpress\HXDL.exe" []
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [02/28/2006 04:00 AM]
"swg"="F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/18/2007 09:35 AM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 12:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdf0fe4-5776-11dc-b872-0004615d60ab}]
AutoRun\command- E:\LaunchU3.exe -a

*Newly Created Service* - GMER



-- End of Deckard's System Scanner: finished at 2007-12-16 21:07:33 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron(tm) 
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 255.48 MiB / 119.64 MiB
Pagefile Memory (total/avail): 636.16 MiB / 132.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.96 MiB

A: is Removable (No Media)
D: is CDROM (No Media)
F: is Fixed (NTFS) - 37.27 GiB total, 9.09 GiB free.

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 37.27 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee) Disabled
FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="F:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\ryan\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=NONE-0BC89BFF5D
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\ryan
LOGONSERVER=\\NONE-0BC89BFF5D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem;F:\Program Files\ATI Technologies\ATI.ACE\;F:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
TMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
USERDOMAIN=NONE-0BC89BFF5D
USERNAME=ryan
USERPROFILE=F:\Documents and Settings\ryan
windir=F:\WINDOWS


-- User Profiles ---------------------------------------------------------------

roy and dena (admin)
ryan (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> F:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
ATI - Software Uninstall Utility --> F:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver --> rundll32 F:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Axis & Allies Iron Blitz --> F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Hasbro Interactive\Axis & Allies Iron Blitz\Uninst.isu"
BOClean --> F:\WINDOWS\UNBOC.EXE
COMODO Firewall Pro --> F:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eMusic - 50 Free MP3 offer --> "F:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "f:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "F:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Lexmark Supplies Monitor --> F:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z55 --> F:\WINDOWS\system32\spool\drivers\w32x86\3\LXAKUN5C.EXE -dLexmark Z55
McAfee SecurityCenter --> F:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstall Wizard --> F:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Muiltmedia keyboard utility 1.1 --> F:\Program Files\Muiltmedia keyboard utility\1.1\uninst00.exe
NVIDIA Drivers --> F:\WINDOWS\system32\nvudisp.exe UninstallGUI
Opera 9.10 --> MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
Photo Editor Plus --> F:\WINDOWS\uninst.exe -f"F:\Program Files\Cosmi\Photo Editor Plus\DeIsL1.isu"  -c"F:\Program Files\Cosmi\Photo Editor Plus\_ISREG32.DLL"
pic2print --> F:\WINDOWS\Unprint.exe F:\WINDOWS\Unprint.log "Uninstall pic2print"
Realtek AC'97 Audio --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VideoLAN VLC media player 0.8.6c --> F:\Program Files\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products --> F:\WINDOWS\War3Unin.exe F:\WINDOWS\War3Unin.dat
Winamp (remove only) --> "F:\Program Files\Winamp\UninstWA.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type52781 / Error
Event Submitted/Written: 12/16/2007 08:01:38 PM / 12/16/2007 08:01:39 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2460 (0x99c)

Thread address : 0x12209B9C

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)

Event Record #/Type52771 / Error
Event Submitted/Written: 11/29/2007 06:06:19 PM / 11/29/2007 06:06:21 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2896 (0xb50)

Thread address : 0x7C90EB94

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)

Event Record #/Type52770 / Error
Event Submitted/Written: 11/29/2007 05:13:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16544, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type52759 / Error
Event Submitted/Written: 11/23/2007 09:42:55 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1072 (0x430)

Thread address : 0x12209B9C

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)

Event Record #/Type52752 / Error
Event Submitted/Written: 11/23/2007 09:14:56 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1096 (0x448)

Thread address : 0x12209B9C

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3991 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3990 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3989 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3988 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3983 / Error
Event Submitted/Written: 12/16/2007 08:10:29 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2007-12-16 21:07:33 ------------

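The Deckard's/HijackThis output above is long, and the items worth a second look are the same ones a helper scans for by eye: a process running out of a user profile or temp directory (nyet.exe under Application Data\Opera), a service whose binary is gone or sits in WINDOWS\TEMP (the mcinstcleanup entry), and autoruns given as a bare file name that Windows resolves through the PATH search order (SoundMan, nwiz). The script below is an added example, not part of the post or of any of the tools named in it; it parses the HijackThis 2.x line formats and applies those three checks. The embedded log is a short excerpt copied from the post's own output; the directory list and severity labels are my own choices.

```python
"""Triage a HijackThis 2.x log: flag processes, autoruns and services that run
from user-writable or temporary locations, or whose image file is missing.
Added example; SAMPLE_LOG is an excerpt copied from the Deckard's output above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lower-case directory fragments (8.3 and long forms) an ordinary user can write
# to.  Chosen for this example; extend for the profile layout you are looking at.
USER_WRITABLE = (
    "\\locals~1\\temp\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\windows\\temp\\",
)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cpl|scr|lnk)\b', re.I)
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): (?P<entry>.+)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<image>.+)$")

SAMPLE_LOG = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\Program Files\Opera\Opera.exe
F:\Documents and Settings\ryan\Application Data\Opera\Opera\nyet.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ryan.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O23 - Service: McAfee Application Installer Cleanup (0149351197866411) (0149351197866411mcinstcleanup) - Unknown owner - F:\WINDOWS\TEMP\014935~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "low"
    reason: str
    line: str


def first_path(fragment: str) -> Optional[str]:
    """First drive-letter path in a command line, quoted or not."""
    m = WIN_PATH.search(fragment)
    return m.group(0) if m else None


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def running_processes(text: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, collecting = [], False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for proc in running_processes(text):
        if in_user_writable(proc):
            findings.append(Finding("high", "process running from a user-writable directory", proc))
    for line in text.splitlines():
        line = line.strip()
        m = O4_LINE.match(line)
        if m:
            path = first_path(m.group("entry"))
            if path is None:
                findings.append(Finding("low", "autorun uses a bare file name resolved via the PATH search order", line))
            elif in_user_writable(path):
                findings.append(Finding("high", "autorun points into a user-writable directory", line))
            continue
        m = O23_LINE.match(line)
        if m:
            reasons, severity = [], "low"
            image = m.group("image")
            if "(file missing)" in image:
                reasons.append("service image is missing from disk")
                severity = "high"
            path = first_path(image)
            if path and in_user_writable(path):
                reasons.append("service image lives in a user-writable directory")
                severity = "high"
            if m.group("owner") == "Unknown owner":
                reasons.append("no publisher recorded for the service binary")
            if reasons:
                findings.append(Finding(severity, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Run against the full log this gives two high findings (nyet.exe and the missing mcinstcleanup service image in WINDOWS\TEMP) and a handful of low ones. "Unknown owner" alone is weak evidence; HijackThis prints it whenever the binary carries no company name, and the SiteAdvisor and ATI services in this log show how often that is benign. The temp-directory list is a heuristic, not a whitelist: a file in Application Data is merely unusual for a service in this era of Windows, and the finding tells you which paths to submit to the online scanners, not which to delete.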

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #36 on: December 16, 2007, 10:44:14 PM »
Dad's PC: Opera loads here, not sure if it can upload files though. Here's the Deckard's.

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [FLMK08KB] F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [BOC-425] F:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [McAfee Backup] F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [MBkLogOnHook] F:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E249E087-04D9-408A-8225-7E6BC91415DF}: NameServer = 66.115.71.53,24.196.64.53
O20 - AppInit_DLLs: 
O23 - Service: McAfee Application Installer Cleanup (0149351197866411) (0149351197866411mcinstcleanup) - Unknown owner - F:\WINDOWS\TEMP\014935~1.EXE (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BOCore - COMODO - F:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - F:\WINDOWS\system32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - F:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - F:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 8377 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 BOCore - f:\program files\comodo\cboclean\bocore.exe <Not Verified; COMODO; COMODO BOClean - Anti-Malware>

S2 0149351197866411mcinstcleanup (McAfee Application Installer Cleanup (0149351197866411)) - f:\windows\temp\014935~1.exe f:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-12-15 01:00:17       364 --a------ F:\WINDOWS\Tasks\McDefragTask.job
2007-12-01 01:00:12       366 --a------ F:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2007-11-16 and 2007-12-16 -----------------------------

2007-12-16 20:57:47         0 d-------- F:\Program Files\Trend Micro
2007-12-16 20:39:52         0 d-------- F:\WINDOWS\LastGood
2007-11-22 15:37:02       229 --a------ F:\WINDOWS\PowerReg.dat
2007-11-22 15:36:40         0 d-------- F:\Program Files\Hasbro Interactive


-- Find3M Report ---------------------------------------------------------------

2007-12-16 20:39:50         0 d-------- F:\Program Files\McAfee
2007-11-23 08:29:22         0 d-------- F:\Documents and Settings\ryan\Application Data\Comodo
2007-11-23 07:20:25         0 d-------- F:\Program Files\Comodo
2007-11-18 07:48:21         0 d-------- F:\Program Files\Common Files\McAfee
2007-11-05 22:55:26         0 d-------- F:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
09/19/2007 06:15 AM   329032   --a------   f:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/09/2004 01:54 AM F:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 03:41 PM]
"FLMK08KB"="F:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE" [07/15/2007 06:09 PM]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 03:00 AM]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [10/22/2006 11:22 AM]
"nwiz"="nwiz.exe" [10/22/2006 11:22 AM F:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="F:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 11:22 AM]
"SiteAdvisor"="F:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [03/30/2007 07:42 AM]
"BOC-425"="F:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [08/08/2007 06:49 PM]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [05/14/2007 02:22 PM]
"McAfee Backup"="F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [01/16/2007 12:59 PM]
"MBkLogOnHook"="F:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 10:22 AM]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"mcagent_exe"="F:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"COMODO Firewall Pro"="F:\Program Files\Comodo\Firewall\CPF.exe" [11/23/2007 09:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HXDL.EXE"="F:\Program Files\Cosmi\HelpExpress\HXDL.exe" []
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [02/28/2006 04:00 AM]
"swg"="F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/18/2007 09:35 AM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 9:05:26 PM]
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 12:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdf0fe4-5776-11dc-b872-0004615d60ab}]
AutoRun\command- E:\LaunchU3.exe -a

*Newly Created Service* - GMER



-- End of Deckard's System Scanner: finished at 2007-12-16 21:07:33 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Sempron(tm) 
Percentage of Memory in Use: 53%
Physical Memory (total/avail): 255.48 MiB / 119.64 MiB
Pagefile Memory (total/avail): 636.16 MiB / 132.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.96 MiB

A: is Removable (No Media)
D: is CDROM (No Media)
F: is Fixed (NTFS) - 37.27 GiB total, 9.09 GiB free.

\\.\PHYSICALDRIVE0 - MAXTOR 6L040J2 - 37.28 GiB - 1 partition
  \PARTITION0 (bootable) - Installable File System - 37.27 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee) Disabled
FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="F:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=F:\Documents and Settings\All Users
APPDATA=F:\Documents and Settings\ryan\Application Data
CommonProgramFiles=F:\Program Files\Common Files
COMPUTERNAME=NONE-0BC89BFF5D
ComSpec=F:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=F:
HOMEPATH=\Documents and Settings\ryan
LOGONSERVER=\\NONE-0BC89BFF5D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=F:\WINDOWS\system32;F:\WINDOWS;F:\WINDOWS\System32\Wbem;F:\Program Files\ATI Technologies\ATI.ACE\;F:\Program Files\Common Files\Adaptec Shared\System
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=F:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=F:
SystemRoot=F:\WINDOWS
TEMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
TMP=F:\DOCUME~1\ryan\LOCALS~1\Temp
USERDOMAIN=NONE-0BC89BFF5D
USERNAME=ryan
USERPROFILE=F:\Documents and Settings\ryan
windir=F:\WINDOWS


-- User Profiles ---------------------------------------------------------------

roy and dena (admin)
ryan (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> F:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
ATI - Software Uninstall Utility --> F:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> MsiExec.exe /I{EA9FAF16-0E5C-42C4-9742-9AF8D5F6D69B}
ATI Display Driver --> rundll32 F:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Axis & Allies Iron Blitz --> F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Hasbro Interactive\Axis & Allies Iron Blitz\Uninst.isu"
BOClean --> F:\WINDOWS\UNBOC.EXE
COMODO Firewall Pro --> F:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
Easy CD Creator 5 Basic --> MsiExec.exe /I{609F7AC8-C510-11D4-A788-009027ABA5D0}
eMusic - 50 Free MP3 offer --> "F:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "f:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "F:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Lexmark Supplies Monitor --> F:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z55 --> F:\WINDOWS\system32\spool\drivers\w32x86\3\LXAKUN5C.EXE -dLexmark Z55
McAfee SecurityCenter --> F:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Uninstall Wizard --> F:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /uninstall=1 /interact=1 /script_proactive=0 /start=f:\PROGRA~1\mcafee.com\agent\uninst\comrem.dll::uninstall.htm
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Muiltmedia keyboard utility 1.1 --> F:\Program Files\Muiltmedia keyboard utility\1.1\uninst00.exe
NVIDIA Drivers --> F:\WINDOWS\system32\nvudisp.exe UninstallGUI
Opera 9.10 --> MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
Photo Editor Plus --> F:\WINDOWS\uninst.exe -f"F:\Program Files\Cosmi\Photo Editor Plus\DeIsL1.isu"  -c"F:\Program Files\Cosmi\Photo Editor Plus\_ISREG32.DLL"
pic2print --> F:\WINDOWS\Unprint.exe F:\WINDOWS\Unprint.log "Uninstall pic2print"
Realtek AC'97 Audio --> RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VideoLAN VLC media player 0.8.6c --> F:\Program Files\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products --> F:\WINDOWS\War3Unin.exe F:\WINDOWS\War3Unin.dat
Winamp (remove only) --> "F:\Program Files\Winamp\UninstWA.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type52781 / Error
Event Submitted/Written: 12/16/2007 08:01:38 PM / 12/16/2007 08:01:39 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2460 (0x99c)

Thread address : 0x12209B9C

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)

Event Record #/Type52771 / Error
Event Submitted/Written: 11/29/2007 06:06:19 PM / 11/29/2007 06:06:21 PM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 2896 (0xb50)

Thread address : 0x7C90EB94

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)

Event Record #/Type52770 / Error
Event Submitted/Written: 11/29/2007 05:13:02 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16544, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type52759 / Error
Event Submitted/Written: 11/23/2007 09:42:55 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1072 (0x430)

Thread address : 0x12209B9C

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)

Event Record #/Type52752 / Error
Event Submitted/Written: 11/23/2007 09:14:56 AM
Event ID/Source: 5051 / McLogEvent
Event Description:
A thread in process F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated.
Thread id : 1096 (0x448)

Thread address : 0x12209B9C

Thread message :

 Build VSCORE.14.0.0.349 / 5100.194
 Object being scanned = \Device\HarddiskVolume1\Documents and Settings\ryan\Desktop\CFP_Setup_3.0.13.268_XP_Vista_x32.exe
 by F:\WINDOWS\Explorer.EXE
 4(0)(0)
 4(0)(0)
 7200(0)(0)
 7595(0)(0)
 7005(0)(0)
 7004(0)(0)
 5006(0)(0)
 5004(0)(0)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3991 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3990 / Error
Event Submitted/Written: 12/16/2007 08:23:06 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3989 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Event Record #/Type3988 / Error
Event Submitted/Written: 12/16/2007 08:22:51 PM
Event ID/Source: 17 / W32Time
Event Description:
Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Event Record #/Type3983 / Error
Event Submitted/Written: 12/16/2007 08:10:29 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.



-- End of Deckard's System Scanner: finished at 2007-12-16 21:07:33 ------------


Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #37 on: December 16, 2007, 10:45:35 PM »
Here's the GMER file.

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #38 on: December 16, 2007, 10:51:40 PM »
So much for the slave drive thought. You're right, in that the cd-r is the way to go. And it sounds like you've got a workaround through the VM to keep the malware at bay.

The rootkit stuff isn't letting you get to the c:\documents stuff, but it's there. Having found those services, and the two processes, we can probably disable the rootkit to get rid of it.

Download "OTMoveit by Oldtimer" from http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Give it these 5 pathnames:

C:\docume~1\ryan\locals~1\temp\ehsxbupoyf.exe
C:\docume~1\ryan\locals~1\temp\gotc.exe
C:\docume~1\ryan\locals~1\temp\pbt.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll
C:\Documents

Run the program, and it will undoubtedly ask you to reboot. That's when it will move those 5 files off to a backup directory. It will create a log and backup directory in c:\_OTMoveit.

After the reboot, do a Deckard's scan. There should be something more observable than what there has been, if the rootkit has been disabled.


I tried running that program, and it didn't ask to reboot; it simply said the files weren't there. I didn't download the file from VMware first though.

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #39 on: December 16, 2007, 11:02:36 PM »
RootkitRevealer ran after a reboot. Here's the log from mom's PC.

HKLM\SECURITY\Policy\Secrets\SAC*   9/21/2007 12:03 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI*   9/21/2007 12:03 PM   0 bytes   Key name contains embedded nulls (*)
C:\Documents and Settings\Ryan\Local Settings\Temp\vminst.log   12/16/2007 9:14 PM   0 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temp\vmware-Ryan\vmware-Ryan-3976.log   12/16/2007 9:17 PM   2.46 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\bullet[1]   12/16/2007 9:14 PM   3.09 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\dnserror[1]   12/16/2007 9:14 PM   6.38 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\errorPageStrings[1]   12/16/2007 8:17 PM   850 bytes   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\httpErrorPagesScripts[1]   12/16/2007 9:14 PM   7.40 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\rss[1].php   12/16/2007 8:52 PM   414 bytes   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\1878HJEO\update[1].txt   12/16/2007 9:14 PM   11 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\background_gradient[1]   12/11/2007 12:21 PM   453 bytes   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\bullet[1]   12/11/2007 12:21 PM   3.09 KB   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\info_48[2]   12/11/2007 12:21 PM   6.83 KB   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\2DGF0TCC\tools[1]   12/9/2007 2:15 PM   3.48 KB   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\C9VU92C0\cobia[1].png   12/13/2007 6:09 PM   6.07 KB   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\C9VU92C0\dnserror[1]   12/9/2007 2:15 PM   6.38 KB   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\JBS7N4V6\cot[1].js   12/16/2007 7:33 PM   4.75 KB   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\JBS7N4V6\featuredvm[1].ini   12/16/2007 9:14 PM   334 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\JBS7N4V6\rss[1].php   12/16/2007 9:24 PM   414 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\PX3TU5MN\cobia[1].png   12/16/2007 9:14 PM   6.07 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\WW98VFVL\featuredvm[2].ini   12/13/2007 6:09 PM   334 bytes   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\WW98VFVL\update[1].txt   12/13/2007 6:09 PM   11 bytes   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\cot[1].js   12/16/2007 9:24 PM   4.75 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\forums_comodo_com[1].htm   12/16/2007 9:24 PM   79.99 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\urchin[1].js   12/16/2007 7:33 PM   20.91 KB   Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Ryan\Local Settings\Temporary Internet Files\Content.IE5\YSD21V5W\urchin[2].js   12/16/2007 9:24 PM   20.91 KB   Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmdk.lck   12/16/2007 9:15 PM   0 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmdk.lck\M16343.lck   12/16/2007 9:15 PM   512 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmem.lck   12/16/2007 9:15 PM   0 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmem.lck\M08203.lck   12/16/2007 9:15 PM   512 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx.lck   12/16/2007 9:15 PM   0 bytes   Hidden from Windows API.
C:\Documents and Settings\Ryan\My Documents\vmware-debian-etch-40r0\DebianEtch\DebianEtch.vmx.lck\M44956.lck   12/16/2007 9:15 PM   512 bytes   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_1437.xml   11/15/2007 8:14 AM   1.99 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2296.xml   12/15/2007 9:26 PM   43.98 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2298.xml   12/15/2007 9:26 PM   1.46 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2300.xml   12/15/2007 9:26 PM   41.10 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2302.xml   12/15/2007 9:26 PM   3.57 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2304.xml   12/15/2007 9:26 PM   17.58 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2306.xml   12/15/2007 9:26 PM   1.86 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2308.xml   12/15/2007 9:26 PM   1.55 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2310.xml   12/15/2007 9:26 PM   34.50 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2312.xml   12/15/2007 9:26 PM   2.01 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2314.xml   12/15/2007 9:26 PM   528.99 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2316.xml   12/15/2007 9:26 PM   177.61 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2318.xml   12/15/2007 9:26 PM   82.94 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2320.xml   12/15/2007 9:26 PM   316 bytes   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2322.xml   12/15/2007 9:26 PM   114.38 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2324.xml   12/15/2007 9:26 PM   48.79 KB   Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2326.xml   12/16/2007 9:46 PM   43.98 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2328.xml   12/16/2007 9:46 PM   1.46 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2330.xml   12/16/2007 9:46 PM   41.10 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2332.xml   12/16/2007 9:46 PM   3.57 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2334.xml   12/16/2007 9:46 PM   17.58 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2336.xml   12/16/2007 9:46 PM   1.86 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2337.xml   12/16/2007 9:46 PM   1.99 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2338.xml   12/16/2007 9:46 PM   1.55 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2340.xml   12/16/2007 9:46 PM   34.50 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2342.xml   12/16/2007 9:46 PM   2.01 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2344.xml   12/16/2007 9:46 PM   528.99 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2346.xml   12/16/2007 9:46 PM   193.66 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2347.xml   12/16/2007 9:46 PM   27.66 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2348.xml   12/16/2007 9:46 PM   82.94 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2350.xml   12/16/2007 9:46 PM   1.70 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2351.xml   12/16/2007 9:46 PM   1.83 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2352.xml   12/16/2007 9:46 PM   95.55 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2353.xml   12/16/2007 9:46 PM   23.95 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2354.xml   12/16/2007 9:46 PM   44.04 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_2355.xml   12/16/2007 9:46 PM   12.30 KB   Hidden from Windows API.
C:\WINDOWS\pchealth\helpctr\DataColl\CollectedData_315.xml   10/2/2007 8:50 PM   2.69 KB   Visible in Windows API, but not in MFT or directory index.

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #40 on: December 16, 2007, 11:14:24 PM »
I used that program (OldTimer's) and clicked the 'clean it' button, which then asked to reboot, and now this thread loads in IE again, but it was very slow to load....

Offline grue155

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: mystery virus
« Reply #41 on: December 16, 2007, 11:15:36 PM »
The GMER log is still showing the processes running. If the OTMoveIt log doesn't show a move, it didn't do anything. It may be necessary to run OTMoveIt in safe mode (reboot, use the F8 key to get to Windows safe mode). The rootkit stuff may be blocking things.

The DSS scan of your dad's machine shows

O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run

which is listed as an undesirable program, but not necessarily malware. And this process entry, I have a question about

F:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe

because of the typo in the name. The descriptions match, but this could be something trying really hard to appear to be a legit process.

Offline grue155

  • Comodo's Hero
  • *****
  • Posts: 1172
Re: mystery virus
« Reply #42 on: December 16, 2007, 11:21:12 PM »
I'm slightly out of sync here. Now that OTMoveIt has done its stuff, can you give me a DSS of your dad's machine, which should tell if the rootkit has been disabled.

Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #43 on: December 16, 2007, 11:24:23 PM »
Deckard's scan of Mom's PC after the reboot using OTMoveIt:

Deckard's System Scanner v20071014.68
Run by Ryan on 2007-12-16 22:22:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 90% (more than 75%).


-- HijackThis (run as Ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:08 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\VMware\VMware Player\vmplayer.exe
C:\Program Files\VMware\VMware Player\bin\vmware-vmx.exe
C:\Documents and Settings\Ryan\Desktop\that.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Player\hqtray.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190412329203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7299ED8F-7AED-4932-9EE8-BBE715383490}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{95A2B2F1-79A7-4950-86BA-0A760182C2F4}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB54918E-B24B-47A1-811D-AF6E6FA3F22D}: NameServer = 66.115.71.53,24.196.64.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: EHSXBUPOYF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ryan\LOCALS~1\Temp\EHSXBUPOYF.exe
O23 - Service: GOTC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ryan\LOCALS~1\Temp\GOTC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PBT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ryan\LOCALS~1\Temp\PBT.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7903 bytes

-- Files created between 2007-11-16 and 2007-12-16 -----------------------------

2007-12-16 22:07:31         0 dr------- C:\Documents and Settings\LocalService\My Documents
2007-12-16 22:07:05         0 dr-h----- C:\Documents and Settings\LocalService\Recent
2007-12-16 19:08:34         0 d-------- C:\LxkZ55
2007-12-06 16:28:55         0 d-------- C:\Program Files\Trend Micro
2007-12-03 17:08:43         0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-25 20:39:48         0 d-------- C:\Program Files\Ubisoft
2007-11-25 18:07:41         0 d-------- C:\Program Files\3DO
2007-11-23 09:49:23       229 --a------ C:\WINDOWS\PowerReg.dat
2007-11-22 13:49:03         0 d-------- C:\Program Files\Hasbro Interactive
2007-11-22 13:48:57    299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-11-22 13:48:55         0 d-------- C:\Documents and Settings\Ryan\WINDOWS


-- Find3M Report ---------------------------------------------------------------

2007-12-16 22:18:02         0 d-------- C:\Documents and Settings\Ryan\Application Data\VMware
2007-12-03 18:06:09         0 d-------- C:\Program Files\Winamp
2007-12-03 17:55:43         0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-03 17:53:28         0 d-------- C:\Program Files\Google
2007-11-25 20:39:47         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-22 10:19:09         0 d-------- C:\Documents and Settings\Ryan\Application Data\Google
2007-11-08 18:38:34         0 d-------- C:\Program Files\Java
2007-10-23 17:27:07         0 d-------- C:\Documents and Settings\Ryan\Application Data\Macromedia
2007-10-16 10:49:14         0 d-------- C:\Program Files\InfraRecorder
2007-10-16 10:36:47         0 d-------- C:\Documents and Settings\Ryan\Application Data\InfraRecorder
2007-10-16 09:06:03         0 d-------- C:\Documents and Settings\Ryan\Application Data\DMCache
2007-09-23 11:06:53    106525 --a------ C:\WINDOWS\War3Unin.dat
2007-09-23 10:46:53      2829 --a------ C:\WINDOWS\War3Unin.pif
2007-09-23 10:46:53    139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2007-09-23 09:20:15  21643294 --a------ C:\sdat5125.exe <Not Verified; McAfee, Inc.; McAfee Core Components>
2007-09-21 11:48:14         0 -rahs---- C:\MSDOS.SYS
2007-09-21 11:48:14         0 -rahs---- C:\IO.SYS
2007-09-21 11:48:14         0 --a------ C:\CONFIG.SYS
2007-09-21 11:48:14         0 --a------ C:\AUTOEXEC.BAT
2007-09-21 11:45:04     21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-09-21 06:36:34        62 --ahs---- C:\Documents and Settings\Ryan\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [09/21/2007 04:22 PM]
"VMware hqtray"="C:\Program Files\VMware\VMware Player\hqtray.exe" [08/21/2007 06:56 PM]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [06/03/2004 07:51 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05/14/2007 04:22 PM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 11:05 AM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 05:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 11:49 AM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 09:02 PM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [11/21/2006 04:09 PM]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [07/09/2001 04:50 AM]
"LXSUPMON"="C:\WINDOWS\system32\LXSUPMON.exe" [10/21/2003 10:45 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 06:00 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [11/15/2007 05:31 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 2:15:54 AM]




-- End of Deckard's System Scanner: finished at 2007-12-16 22:23:52 ------------
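The two checks grue155 applies by eye in Reply #41 (a binary started from a user's Temp directory, and a name that nearly matches a legitimate one, like the keyboard-utility typo) and the O23 service lines in the DSS log above can be scripted as a triage pass over HijackThis-style lines. The following is an added example, not code from this thread or from HijackThis, DSS, OTMoveIt or GMER. The sample lines are constructed and modelled on the log above; the `scvhost.exe` process entry is a constructed decoy for the name check and does not appear in these logs. The list of well-known system binaries and the 0.85 similarity threshold are this example's own choices. Note that the thread itself later attributes the Temp-directory services to RootkitRevealer, so a flag from this script is a prompt to verify a file, not a verdict on it.

```python
"""Triage HijackThis-style log lines: flag anything started from a Temp
directory and binary names that nearly match a well-known Windows process.
Added example for this thread; not part of HijackThis, DSS, OTMoveIt or GMER."""
import re
from difflib import SequenceMatcher

# Processes every Windows XP box runs. A name that nearly matches one of these,
# but is not one of these, is worth a second look (example's own list).
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
}

RE_O23 = re.compile(r"^O23 - Service: (?P<rest>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_PATH = re.compile(r"^[A-Za-z]:\\")  # a bare path, as in the "Running processes" list

# Constructed sample, modelled on the DSS log in this thread. The scvhost.exe
# line is a constructed decoy for the lookalike check; it is not from the log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: EHSXBUPOYF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ryan\LOCALS~1\Temp\EHSXBUPOYF.exe
O23 - Service: PBT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ryan\LOCALS~1\Temp\PBT.exe
"""


def binary_from_command(cmd):
    """Executable path at the start of an autorun command: quoted, or unquoted up to .exe."""
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_line(line):
    """Return (kind, name, path) for O4, O23 and bare process-list lines, else None."""
    line = line.strip()
    m = RE_O23.match(line)
    if m:
        # "name - vendor [- url] - path": the vendor field may itself contain " - "
        parts = m.group("rest").split(" - ")
        return ("service", parts[0], parts[-1])
    m = RE_O4.match(line)
    if m:
        return ("autorun", m.group("name"), binary_from_command(m.group("cmd")))
    if RE_PATH.match(line):
        return ("process", line.rsplit("\\", 1)[-1], line)
    return None


def in_temp_dir(path):
    """True for ...\\Local Settings\\Temp\\... and its 8.3 form ...\\LOCALS~1\\Temp\\..."""
    return "\\temp\\" in path.lower()


def lookalike_of(path, known=KNOWN_SYSTEM_BINARIES, threshold=0.85):
    """Known binary this file name nearly (but not exactly) matches, else None."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None


def triage(log_text):
    """Return (reason, kind, name, path) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        kind, name, path = entry
        if in_temp_dir(path):
            findings.append(("runs from Temp", kind, name, path))
        twin = lookalike_of(path)
        if twin:
            findings.append((f"name resembles {twin}", kind, name, path))
    return findings


if __name__ == "__main__":
    for reason, kind, name, path in triage(SAMPLE_LOG):
        print(f"{reason:28} {kind:8} {name:40} {path}")
```

Feed it a whole HijackThis or DSS log and it reports the entries a human would otherwise scan for by hand; anything it flags still needs the file checked (vendor, signature, hash) before it becomes a removal target.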


Offline kesuki

  • Comodo Family Member
  • ***
  • Posts: 54
Re: mystery virus
« Reply #44 on: December 16, 2007, 11:36:27 PM »
from safe mode:

C:\docume~1\ryan\locals~1\temp\ehsxbupoyf.exe moved successfully.
C:\docume~1\ryan\locals~1\temp\gotc.exe moved successfully.
C:\docume~1\ryan\locals~1\temp\pbt.exe moved successfully.
File/Folder C:\DOCUME~1\Ryan\LOCALS~1\Temp\CmdLineExt02.dll not found.
File/Folder C:\Documents not found.

BTW, supposedly the first 3 files are 'services' run by RootkitRevealer, which didn't run until after I rebooted...

 
